Category Archives: New Releases

New iPhone biometric control (Touch ID) and its "vulnerabilities"

Apple recently added the Touch ID sensor to the new iPhone. It is a biometric control that is claimed to be fairly secure, after all it is a biometric. Biometrics are usually harder to break than other kinds of mechanism, and they are harder not so much because of how they are implemented but because of the difficulty of acquiring the material needed to spoof them. As reported by The Hacker News (http://thehackernews.com/2013/09/finally-iphones-fingerprint-scanner.html), a group of security researchers found a way to fool the biometric control by presenting it with a fake fingerprint (watch the video). This is not actually hacking the system, but it is a way to unlock the device.

I am sure there will be more posts and news doing the same thing; it was one of the first things I thought of when I saw the new feature. There are many ways to fake fingerprints: gelatin, glue, stickers and more. I prefer glue, it is the easiest, and if you use a fake fingerprint to bypass a biometric mechanism you are not actually hacking the system. The security of these controls rests, as I said before, on the difficulty of acquiring the real fingerprint. Sure, you leave your fingerprints on everything you touch, but getting a good one that actually works can be really hard.

To actually hack the system you would have to feed it a different fingerprint and force it to authenticate against that one, that is, attack the enrollment or matching itself rather than the sensor. Because that is a very difficult process, it is usually easier to obtain the victim's fingerprint.

Would you trust the Touch ID security system?

PassMark in Santander's Internet banking

Santander recently started rolling out an update to its Internet banking service, Supernet. The update focuses specifically on the security model used to give users access to their accounts. What is this new security model about? Originally, with the strengthened credentials that banks now ask for to access our accounts, plus the tokens they hand out so we can type in the number they display, plus some account number, customer number, card number and so on, what banks want to achieve is to guarantee that the right user, in this case us, is accessing the account and not somebody else, a hacker for example. That is, those mechanisms guarantee, to some extent, that the customer or user is who they claim to be. But who guarantees to us that the application is really the one we want to access? The fact that the full, correct domain of the application appears in our address bar does not mean it is the bank's real application. Attacks such as pharming or some kinds of man-in-the-middle could forge the application and serve it to the user, making it look like the real one when it is actually another one prepared specifically to capture our confidential data. Well, the security update that was released is meant precisely to guarantee that, to some extent.

This security method appeared several years ago and, ironically, it was assumed that it would not deliver the expected results because it tends to be very simple (without much cryptography or complex mechanisms involved). It was called PassMark and, little by little, banking institutions adopted it until it has now reached Mexico.
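As an added example (not from the post, and not Santander's or PassMark's own code), here is a simulation of the PassMark/SiteKey-style flow as it is generally deployed: the user types only the username first, the site answers with the image and phrase the user chose at enrollment, and the user types the password only after recognizing them. It assumes Supernet follows that pattern; the class and function names, the hypothetical user "alice", the decoy for unknown usernames and the two attacker models are mine. It shows the check defeating a static cloned page and, the reason the post says "to some extent", failing against a pharming or man-in-the-middle relay that simply proxies to the real site.

```python
import hmac
import secrets


class Bank:
    """The real banking site: stores each user's password and chosen PassMark."""

    def __init__(self):
        self._passmarks = {}   # username -> (image_id, phrase) chosen at enrollment
        self._passwords = {}   # username -> password (plain text only for this demo)

    def enroll(self, username, password, image_id, phrase):
        self._passmarks[username] = (image_id, phrase)
        self._passwords[username] = password

    def step1_passmark(self, username):
        """Step 1: the user sends only the username; the site answers with the PassMark.
        Unknown usernames get a random decoy (my design choice, not necessarily
        Supernet's) so this step cannot be used to enumerate customers."""
        if username not in self._passmarks:
            return ("decoy-" + secrets.token_hex(4), "")
        return self._passmarks[username]

    def step2_login(self, username, password):
        """Step 2: password check with a constant-time compare."""
        expected = self._passwords.get(username, "")
        return hmac.compare_digest(expected.encode(), password.encode())


class StaticPhish:
    """Cloned login page with no link to the bank: it cannot know any user's PassMark."""

    def step1_passmark(self, username):
        return ("generic-bank-logo", "Welcome")

    def step2_login(self, username, password):
        return True   # never reached if the user checks the PassMark


class RelayPhish:
    """Pharming / man-in-the-middle proxy: forwards each step to the real bank,
    relays the genuine PassMark back to the victim, and records the password."""

    def __init__(self, bank):
        self.bank = bank
        self.captured = []

    def step1_passmark(self, username):
        return self.bank.step1_passmark(username)

    def step2_login(self, username, password):
        self.captured.append((username, password))
        return self.bank.step2_login(username, password)


def client_login(site, username, password, expected_passmark):
    """User-side discipline: type the password only if the PassMark shown is
    exactly the one chosen at enrollment."""
    shown = site.step1_passmark(username)
    if shown != expected_passmark:
        return "aborted: PassMark mismatch"
    return "logged in" if site.step2_login(username, password) else "bad password"


def demo():
    """Run the three scenarios; returns the outcome of each (hypothetical user)."""
    bank = Bank()
    bank.enroll("alice", "hunter2", "img-0042", "blue kite")   # constructed user
    my_mark = ("img-0042", "blue kite")
    relay = RelayPhish(bank)
    results = {
        "real site": client_login(bank, "alice", "hunter2", my_mark),
        "static clone": client_login(StaticPhish(), "alice", "hunter2", my_mark),
        "relay proxy": client_login(relay, "alice", "hunter2", my_mark),
    }
    results["captured by relay"] = list(relay.captured)
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The static clone is stopped because it has nothing to show; the relay is not, because the victim sees the genuine PassMark fetched from the real site. PassMark raises the bar for mass phishing kits, but against an attacker who controls DNS or the path and proxies live, the only defences are on the transport (a valid certificate for the real domain, HSTS, and users who do not click through warnings) and on the bank side (transaction signing with the token rather than a one-time code typed into whatever page is in front of the user).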

The Google Chrome Netbooks security


Google recently announced its Google Chrome netbooks, aka Chromebooks. They have great features such as 3G support, a boot time of a few seconds, automatic updates, integrity checking of the core system files on every boot and more. With all this new functionality on a netbook, security is extremely important, because Google has no track record with this combination of technologies and does not yet know how people will take these changes, nor how "hackers" will take on this new challenge.

Let's review some of the security concepts and possible downsides of the Chromebook.

[MAX09 – 01] AIR 2.0, New features

At Adobe MAX I was able to attend many, many sessions and I'd like to share the information.
In this first post I will tell you about the new features coming in AIR 2.0.

  • Start native processes and applications: In AIR 2.0 you will be able to launch a native application installed in the OS from your AIR application. This is very useful, and also a significant widening of what an AIR app can do on the host, which is why it is restricted to applications installed through a native installer.
  • Native installers: You'll also have native installers for each OS. You will be able to generate a .exe, .dmg, .rpm or .deb when you package the application. Obviously the .air file is still in the list.
  • New classes, FilePromise and URLFilePromise: You use these classes when you want to download a file from the server but you don't have the file reference yet; that's why you tell AIR that you have a promise of a file.
  • Socket servers: This is an extraordinary feature. You will be able to configure and start a socket server from the AIR application. We already know Flash Player can connect to socket servers, but now you will be able to start one from the AIR app, as well as use TLS-secured sockets.
  • IPv6: You'll now have IPv6 compatibility.
  • NetworkInfo class: With this new class we can query detailed information about the network on the host device, such as the interfaces available on the host.
  • UDP support: We can now communicate over UDP.
  • Audio encoding: This is an extraordinary feature, because with it we will be able to record the sound captured by the microphone without any server such as FMS. Basically, the raw sample data from the microphone is exposed so it can be encoded into an audio file.
  • Global error handling: Have you ever tried to handle all the errors you forgot to catch? Now you can. Global error handling works as a general try/catch block for any uncaught exception during the app's execution.
  • JavaScript debugging and profiling: The ability to debug and profile JavaScript code in the AIR app will be integrated into the AIR 2.0 runtime. Profiling will only be available from Aptana.
  • New WebKit features: The engine now has a module that supports CSS3 :-D, custom styles can be applied to scrollbars, text can be broken across columns, and more.
  • Profiles for AIR applications: Defined in the application descriptor, there is now a set of profiles that enable or disable functionality in the application: a "desktop" profile, an "extendedDesktop" profile (for native installers), a "mobileDevice" profile (for mobile AIR applications) and an "extendedMobileDevice" profile.
  • AIR mobile applications: Yes, we can now create AIR applications for mobile devices, including the iPhone; iPhone applications will be packaged as .ipa, a native iPhone application.
New AIR and Flash Player versions, July 2009

As you may know, some critical vulnerabilities were discovered in Flash Player, Adobe AIR, Adobe Reader and Acrobat. They were serious and forced Adobe to update the products as soon as possible.
If you want the details of these vulnerabilities, read the security bulletin: http://www.adobe.com/support/security/bulletins/apsb09-10.html

A new version of Flash Player was released last week. Actually there were two: Flash Player 10.0.32.18 and 9.0.246. Both can be downloaded directly from the Flash Player Downloads page, where you can also get the debug and projector versions of the players. Adobe updated Flash Player 9 as well, rather than only Flash Player 10, so that if you cannot have Flash Player 10 on your machine for any reason you are still protected by installing the new Flash Player 9.
Adobe also released a new version of Adobe AIR, 1.5.2.8870, which you can download directly from Adobe's website. Besides the fixed vulnerabilities, this version brings new features such as the isPerUser property on LocalConnection instances and, for Flash Player 10.0.32.18 and 9.0.246, a change to FileReference.save when running in Internet Explorer protected mode. The details are on this page: http://kb2.adobe.com/cps/497/cpsid_49735.html.
Speaking of AIR 1.5.2, if you want to use the new features and code hinting you should download the new SDK (1.5.2), also just released, and swap it into your Adobe Flex/Flash Builder and Adobe Flash installations. You can get the SDK here: http://www.adobe.com/cfusion/entitlement/index.cfm?e=airsdk. Also don't forget to update the AIR version in the XML descriptor file of your new AIR application.
That's all for now. Regards.
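Because the fix shipped on two branches, a naive "is the version newer than X" check gets this bulletin wrong: a host on 9.0.246 is patched even though it is "older" than every 10.x build. The following is an added example (not from the post or from Adobe) of a branch-aware check as a vulnerability scanner would do it; the two fixed versions are the ones named above, while the function names and the sample inventory of hosts are constructed here.

```python
"""Branch-aware check of installed Flash Player versions against the fixed
versions from APSB09-10 (10.0.32.18 on the 10.x branch, 9.0.246 on the 9.x branch)."""

# Fixed version per major branch, taken from the bulletin. Adobe patched both
# branches, so each installed version is compared only against its own branch.
FIXED_VERSIONS = {
    9: (9, 0, 246),
    10: (10, 0, 32, 18),
}


def parse_version(text):
    """'10.0.22.87' -> (10, 0, 22, 87). Raises ValueError on anything non-numeric."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not parts:
        raise ValueError("empty version")
    return parts


def _pad(a, b):
    """Right-pad the shorter tuple with zeros so 9.0.246 and 9.0.246.0 compare equal."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def is_patched(text):
    """True if the version is at or above the fixed version of its own branch.

    Branches with no fixed version (e.g. Flash Player 8) are reported as not
    patched rather than silently accepted. Tuples compare numerically, which
    avoids the string-compare trap where '9.0.246' sorts after '10.0.32.18'.
    """
    version = parse_version(text)
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        return False
    v, f = _pad(version, fixed)
    return v >= f


def audit(inventory):
    """inventory: {hostname: version string}. Returns the hosts still exposed."""
    exposed = {}
    for host, ver in inventory.items():
        try:
            ok = is_patched(ver)
        except ValueError:
            ok = False   # unparseable: treat as exposed and let a human look
        if not ok:
            exposed[host] = ver
    return exposed


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = {
    "ws-01": "10.0.22.87",   # pre-patch 10.x
    "ws-02": "10.0.32.18",   # fixed 10.x
    "ws-03": "9.0.246.0",    # fixed 9.x, as reported with a trailing .0
    "ws-04": "9.0.159.0",    # pre-patch 9.x
    "ws-05": "8.0.42.0",     # branch with no fix: must upgrade
    "ws-06": "unknown",      # agent could not read the version
}

if __name__ == "__main__":
    for host, ver in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: Flash Player {ver} still exposed")
```

The same per-branch table shape is what you need for any vendor that backports fixes to several supported lines; comparing against a single "latest" version would flag every patched 9.x host as vulnerable and, worse, with a string compare, pass 9.x hosts that are not.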

Adobe Acrobat.com Presentations

Personally, I like to do everything I can on the Internet. One of my favorite applications is Buzzword and my favorite service is Google Apps.
Well, today Adobe announced another of its services, this time called "Presentations", which will be hosted on Acrobat.com. In the meantime it is hosted on Acrobat.com Labs.
Acrobat.com Presentations lets us create presentations that can be shared across the web, edited by multiple users at the same time and, obviously, viewed anywhere in the world, because it lives on the Internet and only requires Flash Player 10.
All you need to test this new service is an Adobe account. With your account, go to https://acrobat.com/ and sign in, then go to the address bar and enter https://labs1.acrobat.com/, the Labs site of Acrobat.com. Ready! You can start playing with this amazing service.
There you'll find a sample presentation that shows you how to use the service. I think I will create a presentation for a new course.
The official announcement can be found here http://eon.businesswire.com/portal/site/eon/permalink/?ndmViewId=news_view&newsId=20090526005256&newsLang=en and you can find more information about this service on Adobe Labs.
Well, enjoy it!

Creating a new Twitter client for mobile devices

Yesterday I decided to create a Twitter client for mobile devices. This new client will be built in Flash and you will be able to use it if you have Flash Lite 3 installed on your device. Flash Lite 3 can be installed on many, many devices, and some of them actually ship with Flash Lite 3 preinstalled.
Right now I'm in the planning stage and, with this post, I'm asking for feedback and for any functionality you'd like to see in this new client.
Some people have already told me what they would like to see. I'll list what I have today.

  • Based on Twhirl
  • Retweets
  • Direct messages
  • Favorites
  • Identify conversations
  • Short URLs
  • Support for images
  • Avatars
  • Lookup and search
  • Friends and followers
  • Hints while typing Twitter IDs

If there is any other functionality you want added to the client, please comment on this post.
Kind regards.

New releases from ServeBox

The ServeBox team has released a new version of the ActionScript Foundry framework. The new version, 2.1.0, brings some fixes and adds numerous new features. The framework is now compatible with Spring ActionScript (Prana). The improvements are listed below:

  • Added a useNameAsMatchPropery property on SmartForm. It forces the SmartForm mechanism to match on the name property instead of the id property. E.g. if the linked value object has a "label" or a "name" property, you cannot create a SmartForm element with "name" as its id, since that is a reserved word.
  • The load mechanism for external resources at startup was refactored.
  • The ISmartFormElement change event is forwarded to SmartForm.
  • Added rendererPaddingTop for SmartForm renderer alignment.
  • Uses Flex SDK 3.2.0.3958.

ServeBox has also released a new version of the Flex Plugin for Maven. The new version, 2.2.0, contains a lot of improvements:

  • Improved RSL dependency support.
  • Improved compilation when the optimize option is set to true.
  • Added module support: modules can be configured, compiled and defined with the flex:eclipse mojo.
  • Support for post-compilation optimization of modules.
  • Added the resourcesDirectory option.
  • resourcesPath added to compileSourceRoots.
  • Added the localesDirectory property, which allows compiling locales before the artifacts are compiled.
  • Added the locales property (which now takes precedence over the former locale property).

You can find more on the ServeBox.org team's blog.

ServeBox Releases Foundry 2.0 [ Flex / Java framework ]

Since December 1st, ServeBox.org has brought together the Maven Flex Plugin and ActionScript Foundry projects. AS Foundry was created in 2005. In 2007 the project became open source and was made available on SourceForge. The new version 2.0 brings some fixes and adds numerous new features.
ServeBox's ActionScript Foundry (AS Foundry) is made up of productivity tools and an ActionScript 3/Java framework. The framework leverages the power of both universes: Flex and Java.
Based on design patterns, the AS Foundry framework shortens the development cycle of complex applications. Indeed, you will find ready-to-use tools: data synchronization for the MVC model, authorizations, internationalization and more. The framework is divided into 5 libraries:
  • Commons: base types and tools.
  • Foundry: MVC framework.
  • AirFoundry: ASFoundry extension for use with Adobe AIR.
  • Toolbox: advanced toolbox (navigation, ACL, full-text search and more).
  • Foundry-Java-Commons: Java classes created to speed up the development cycle on both the client side (Flex) and the server side (FDS-LCDS-BlazeDS).
You can follow one of the tutorials available on www.servebox.org to understand how Foundry works.
Just take a look at it.

Juice, an excellent new Firefox extension

Today I downloaded this new extension for Firefox called Juice.
If you're one of those people who loves being informed and knowing about everything, or almost everything, I can tell you that you need this extension.
Juice lets you watch news, videos, images, blogs and everything else in just one sidebar divided into tabs and buttons. You just have to drag any text from the main browser window to anywhere in the browser and Juice will try to find everything about that text.
You can also save images and bookmark your favorite videos in Juice.
You should take a look at this new extension.
Best.